icexloader | 060fadd3d3457e00c562d2cd3810ee1b8ce96bbb5550006468270ea45bb7b7c3

General

Target

926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe
Size

347KB
MD5

f215f4d6043bc0c81d8beafcce0aabb2
SHA1

7168feb0237b8cc9a49dd53d7a6b4e26b7037e66
SHA256

926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496
SHA512

cea505712e00e926e1fe98cd6b67d064ff2871d785267ecbd2c3367e6cbc09c494e5b763030636dca4d1f7f0a0fe50dbe9f85ef1b21021f7220b2c56a2177bf6

Score

10^/10

icexloader loader persistence

Malware Config

Signatures

Detects IceXLoader v3.0 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WindowsDefenderAgent.exe.exe	family_icexloader_v3
C:\Users\Admin\AppData\Roaming\WindowsDefenderAgent.exe.exe	family_icexloader_v3

icexloader
IceXLoader is a downloader used to deliver other malware families.
loader icexloader
Executes dropped EXE 1 IoCs

Processes:

WindowsDefenderAgent.exe.exe

pid process

4816 WindowsDefenderAgent.exe.exe

pid	process
4816	WindowsDefenderAgent.exe.exe

Drops startup file 1 IoCs

Processes:

926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefenderAgent.exe.exe	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderAgent.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsDefenderAgent.exe.exe\""	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderAgent.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsDefenderAgent.exe.exe\""	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1412 timeout.exe
1180 timeout.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1780 powershell.exe
1780 powershell.exe
4360 powershell.exe
4360 powershell.exe
1548 powershell.exe
1548 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1780 powershell.exe
Token: SeDebugPrivilege 4360 powershell.exe
Token: SeDebugPrivilege 1548 powershell.exe

pid	process
1412	timeout.exe
1180	timeout.exe

pid	process
1780	powershell.exe
1780	powershell.exe
4360	powershell.exe
4360	powershell.exe
1548	powershell.exe
1548	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.execmd.execmd.exeWindowsDefenderAgent.exe.execmd.exe

description	pid	process	target process
PID 2448 wrote to memory of 5096	2448	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe	cmd.exe
PID 2448 wrote to memory of 5096	2448	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe	cmd.exe
PID 2448 wrote to memory of 5096	2448	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe	cmd.exe
PID 2448 wrote to memory of 2068	2448	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe	cmd.exe
PID 2448 wrote to memory of 2068	2448	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe	cmd.exe
PID 2448 wrote to memory of 2068	2448	926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe	cmd.exe
PID 2068 wrote to memory of 1180	2068	cmd.exe	timeout.exe
PID 2068 wrote to memory of 1180	2068	cmd.exe	timeout.exe
PID 2068 wrote to memory of 1180	2068	cmd.exe	timeout.exe
PID 5096 wrote to memory of 1412	5096	cmd.exe	timeout.exe
PID 5096 wrote to memory of 1412	5096	cmd.exe	timeout.exe
PID 5096 wrote to memory of 1412	5096	cmd.exe	timeout.exe
PID 5096 wrote to memory of 4816	5096	cmd.exe	WindowsDefenderAgent.exe.exe
PID 5096 wrote to memory of 4816	5096	cmd.exe	WindowsDefenderAgent.exe.exe
PID 5096 wrote to memory of 4816	5096	cmd.exe	WindowsDefenderAgent.exe.exe
PID 4816 wrote to memory of 2124	4816	WindowsDefenderAgent.exe.exe	cmd.exe
PID 4816 wrote to memory of 2124	4816	WindowsDefenderAgent.exe.exe	cmd.exe
PID 4816 wrote to memory of 2124	4816	WindowsDefenderAgent.exe.exe	cmd.exe
PID 2124 wrote to memory of 1780	2124	cmd.exe	powershell.exe
PID 2124 wrote to memory of 1780	2124	cmd.exe	powershell.exe
PID 2124 wrote to memory of 1780	2124	cmd.exe	powershell.exe
PID 2124 wrote to memory of 4360	2124	cmd.exe	powershell.exe
PID 2124 wrote to memory of 4360	2124	cmd.exe	powershell.exe
PID 2124 wrote to memory of 4360	2124	cmd.exe	powershell.exe
PID 2124 wrote to memory of 1548	2124	cmd.exe	powershell.exe
PID 2124 wrote to memory of 1548	2124	cmd.exe	powershell.exe
PID 2124 wrote to memory of 1548	2124	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe
"C:\Users\Admin\AppData\Local\Temp\926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c timeout 2 & "C:\Users\Admin\AppData\Roaming\WindowsDefenderAgent.exe.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - Delays execution with timeout.exe
    PID:1412
- - C:\Users\Admin\AppData\Roaming\WindowsDefenderAgent.exe.exe
    "C:\Users\Admin\AppData\Roaming\WindowsDefenderAgent.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\file.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionExtension "C:\Users\Admin\AppData\Roaming\WindowsDefenderAgent.exe\.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
- C:\Windows\SysWOW64\cmd.exe
  cmd /c timeout 1 & del /F "C:\Users\Admin\AppData\Local\Temp\926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0eb8b736be3a55aa57989883845511d0

SHA1
8e45a07823e5fdfca1d7df8999f771aca682a928

SHA256
197121513d8a71ccbf774b7695251520d78a6e3d7ae8e3be96c5095524e4f062

SHA512
ac4e19f3b9ec1a4edc2d2fdfca228eb8dad6ba55428c99aca8790b98bfb108ce3f2e18dfc59c38dcd04d42947252f7f254d65d0c2d272c48c7f688264bce21ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9baaa0d2a862081a2e4fa331266bc65c

SHA1
5314b47136023562a2ed2fef86c3e71a7220fb30

SHA256
e3469f5d42260af070f967f971fccd1dc401db4bc697f2305234128c71851d1e

SHA512
46aa9f6a381e1f057cd605c65ce54f9700606f22139da14b8409259996971f68f1998a6f8a5059de3dbc7735e1024494813e1123c3cc9e45cf1ceed1fe4e9485

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.bat

Filesize
258B

MD5
954231b1d097e6d3b68366b219f24460

SHA1
3be2c3d74d95b1c6470638edf6c904cadcd93b8e

SHA256
d9d1529df835ddaea27342f27911bc9bb007371a73af3f093e573f2d7c2ece71

SHA512
4540a44cbef24c8beef87f240c1fadea25b1f428b0fe28d60772722c2b33aad4b053b5c58f069b3f6ebd27e8483c51c88a00e85c1f10c6abe242598439c6a46f

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsDefenderAgent.exe.exe

Filesize
347KB

MD5
f215f4d6043bc0c81d8beafcce0aabb2

SHA1
7168feb0237b8cc9a49dd53d7a6b4e26b7037e66

SHA256
926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496

SHA512
cea505712e00e926e1fe98cd6b67d064ff2871d785267ecbd2c3367e6cbc09c494e5b763030636dca4d1f7f0a0fe50dbe9f85ef1b21021f7220b2c56a2177bf6

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsDefenderAgent.exe.exe

Filesize
347KB

MD5
f215f4d6043bc0c81d8beafcce0aabb2

SHA1
7168feb0237b8cc9a49dd53d7a6b4e26b7037e66

SHA256
926ba0e1031bcc982a6a7280b5b41616a245c7d94829c1d362d6585320bbb496

SHA512
cea505712e00e926e1fe98cd6b67d064ff2871d785267ecbd2c3367e6cbc09c494e5b763030636dca4d1f7f0a0fe50dbe9f85ef1b21021f7220b2c56a2177bf6

Download Submit
memory/1180-132-0x0000000000000000-mapping.dmp

Download
memory/1412-133-0x0000000000000000-mapping.dmp

Download
memory/1548-162-0x0000000071070000-0x00000000710BC000-memory.dmp

Filesize
304KB

Download
memory/1548-160-0x0000000000000000-mapping.dmp

Download
memory/1780-146-0x00000000061F0000-0x0000000006222000-memory.dmp

Filesize
200KB

Download
memory/1780-149-0x0000000007520000-0x0000000007B9A000-memory.dmp

Filesize
6.5MB

Download
memory/1780-142-0x0000000005360000-0x0000000005382000-memory.dmp

Filesize
136KB

Download
memory/1780-143-0x0000000005400000-0x0000000005466000-memory.dmp

Filesize
408KB

Download
memory/1780-144-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/1780-145-0x0000000005BE0000-0x0000000005BFE000-memory.dmp

Filesize
120KB

Download
memory/1780-139-0x0000000000000000-mapping.dmp

Download
memory/1780-147-0x0000000071070000-0x00000000710BC000-memory.dmp

Filesize
304KB

Download
memory/1780-148-0x00000000061B0000-0x00000000061CE000-memory.dmp

Filesize
120KB

Download
memory/1780-140-0x0000000004650000-0x0000000004686000-memory.dmp

Filesize
216KB

Download
memory/1780-150-0x0000000006EE0000-0x0000000006EFA000-memory.dmp

Filesize
104KB

Download
memory/1780-151-0x0000000006F40000-0x0000000006F4A000-memory.dmp

Filesize
40KB

Download
memory/1780-152-0x0000000007170000-0x0000000007206000-memory.dmp

Filesize
600KB

Download
memory/1780-153-0x0000000007120000-0x000000000712E000-memory.dmp

Filesize
56KB

Download
memory/1780-154-0x0000000007210000-0x000000000722A000-memory.dmp

Filesize
104KB

Download
memory/1780-155-0x0000000007160000-0x0000000007168000-memory.dmp

Filesize
32KB

Download
memory/1780-141-0x0000000004D30000-0x0000000005358000-memory.dmp

Filesize
6.2MB

Download
memory/2068-131-0x0000000000000000-mapping.dmp

Download
memory/2124-137-0x0000000000000000-mapping.dmp

Download
memory/4360-156-0x0000000000000000-mapping.dmp

Download
memory/4360-159-0x0000000071070000-0x00000000710BC000-memory.dmp

Filesize
304KB

Download
memory/4816-134-0x0000000000000000-mapping.dmp

Download
memory/5096-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads